python-discord · jchristgit · Nov 13, 2025 · Nov 13, 2025
diff --git a/ansible/roles/dovecot/tasks/main.yml b/ansible/roles/dovecot/tasks/main.yml
@@ -98,17 +98,6 @@
   tags:
     - role::dovecot
 
-- name: Set up sieve configuration for dovecot
-  lineinfile:
-    path: /etc/dovecot/conf.d/90-sieve.conf
-    regexp: "sieve_after ="
-    line: "  sieve_after = /etc/dovecot/sieve-after  # (ansible managed)"
-    state: present
-  notify:
-    - Reload Dovecot
-  tags:
-    - role::dovecot
-
 - name: Create dovecot spam & ham sieve scripts
   template:
     src: "{{ item }}.j2"
@@ -149,60 +138,35 @@
   tags:
     - role::dovecot
 
-- name: Enable dovecot spamc learning integration
-  blockinfile:
-    path: /etc/dovecot/conf.d/90-sieve.conf
-    insertbefore: "^}$"
-    content: |2
-        # From elsewhere to Junk folder
-        imapsieve_mailbox1_name = Junk
-        imapsieve_mailbox1_causes = COPY
-        imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
-
-        # From Junk folder to elsewhere
-        imapsieve_mailbox2_name = *
-        imapsieve_mailbox2_from = Junk
-        imapsieve_mailbox2_causes = COPY
-        imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
-
-        sieve_pipe_bin_dir = {{ dovecot_sieve_pipe_bin_dir }}
-        sieve_global_extensions = +vnd.dovecot.pipe
-        sieve_plugins = sieve_imapsieve sieve_extprograms
-        imapsieve_url = sieve://127.0.0.1:4190
-    marker: "  # {mark} spam & ham autolearning (ansible managed)"
-    state: present
-  notify:
-    - Reload Dovecot
-  tags:
-    - role::dovecot
-
-- name: Template Dovecot LDAP config
-  template:
-    src: dovecot-ldap.conf.ext.j2
-    dest: /etc/dovecot/dovecot-ldap.conf.ext
-    group: root
-    owner: root
-    mode: "0600"
+# BEGIN temporary cleanup task
+- name: Kill Dovecot LDAP config
+  file:
+    path: /etc/dovecot/dovecot-ldap.conf.ext
+    state: absent
   tags:
     - role::dovecot
   notify:
     - Reload Dovecot
+# END temporary cleanup task
 
 - name: Template Dovecot component configurations
   template:
     src: "configs/{{ item }}.j2"
     dest: "/etc/dovecot/conf.d/{{ item }}"
     group: root
     owner: root
-    mode: "0644"
+    mode: "0600"
   loop:
+    - 10-director.conf
     - 10-mail.conf
     - 10-master.conf
     - 10-auth.conf
     - 10-ssl.conf
     - 15-mailboxes.conf
     - 20-lmtp.conf
     - 20-imap.conf
+    - 90-acl.conf
+    - 90-sieve.conf
     - auth-ldap.conf.ext
   tags:
     - role::dovecot

diff --git a/ansible/roles/dovecot/templates/configs/10-auth.conf.j2 b/ansible/roles/dovecot/templates/configs/10-auth.conf.j2
@@ -4,15 +4,18 @@
 ## Authentication processes
 ##
 
-# Disable LOGIN command and all other plaintext authentications unless
-# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+#log_debug=category=auth
+#auth_debug_passwords = yes
+
+# Enable LOGIN command and all other plaintext authentications even if
+# SSL/TLS is not used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
-# connection is considered secure and plaintext authentication is allowed.
-# See also ssl=required setting.
-disable_plaintext_auth = yes
+# connection is considered secure and plaintext authentication is allowed,
+# unless ssl = required.
+auth_allow_cleartext = no
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
-# bsdauth and PAM require cache_key to be set for caching to be used.
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
 #auth_cache_size = 0
 # Time to live for cached data. After TTL expires the cached record is no
 # longer used, *except* if the main database lookup returns internal failure.
@@ -32,7 +35,7 @@ disable_plaintext_auth = yes
 
 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm =
+#auth_default_domain =
 
 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@@ -46,11 +49,10 @@ disable_plaintext_auth = yes
 # that '#' and '/' characters are translated to '@'.
 #auth_username_translation =
 
-# Username formatting before it's looked up from databases. You can use
-# the standard variables here, eg. %Lu would lowercase the username, %n would
-# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
-# "-AT-". This translation is done after auth_username_translation changes.
-auth_username_format = %Ln
+# Username formatting before it's looked up from databases.
+auth_username_format = %{user|lower}
+#auth_username_format = %{user|username|lower}
+
 
 # If you want to allow master users to log in by specifying the master
 # username within the normal username string (ie. not using SASL mechanism's
@@ -62,11 +64,6 @@ auth_username_format = %Ln
 # Username to use for users logging in with ANONYMOUS SASL mechanism
 #auth_anonymous_username = anonymous
 
-# Maximum number of dovecot-auth worker processes. They're used to execute
-# blocking passdb and userdb queries (eg. MySQL and PAM). They're
-# automatically created and destroyed as needed.
-#auth_worker_max_count = 30
-
 # Host name to use in GSSAPI principal names. The default is to use the
 # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
 # entries.
@@ -78,7 +75,7 @@ auth_username_format = %Ln
 #auth_krb5_keytab =
 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
-# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+# ntlm_auth helper. <https://doc.dovecot.org/latest/core/config/auth/mechanisms/winbind.html>
 #auth_use_winbind = no
 
 # Path for Samba's ntlm_auth helper binary.
@@ -96,10 +93,10 @@ auth_username_format = %Ln
 #auth_ssl_username_from_cert = no
 
 # Space separated list of wanted authentication mechanisms:
-#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
-#   gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain login
+#   plain login digest-md5 cram-md5 ntlm anonymous gssapi
+#   gss-spnego xoauth2 oauthbearer
+# NOTE: See also auth_allow_cleartext setting.
+#auth_mechanisms = plain login
 
 ##
 ## Password and user databases
@@ -111,15 +108,16 @@ auth_mechanisms = plain login
 # allow both system users (/etc/passwd) and virtual users to login without
 # duplicating the system users into virtual database.
 #
-# <doc/wiki/PasswordDatabase.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/passdb.html>
 #
 # User database specifies where mails are located and what user/group IDs
 # own them. For single-UID configuration use "static" userdb.
 #
-# <doc/wiki/UserDatabase.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/userdb.html>
 
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
+#!include auth-oauth2.conf.ext
 
 #!include auth-system.conf.ext
 #!include auth-sql.conf.ext

diff --git a/ansible/roles/dovecot/templates/configs/10-director.conf.j2 b/ansible/roles/dovecot/templates/configs/10-director.conf.j2
@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers =
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers =
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+  unix_listener login/director {
+    #mode = 0666
+  }
+  fifo_listener login/proxy-notify {
+    #mode = 0666
+  }
+  unix_listener director-userdb {
+    #mode = 0600
+  }
+  inet_listener schweinehund {
+    #port =
+  }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+  #executable = imap-login director
+}
+service pop3-login {
+  #executable = pop3-login director
+}
+service submission-login {
+  #executable = submission-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+  #auth_socket_path = director-userdb
+}